This topic summarizes the firewall rules required for migration with vMotion, both in your on-premises and cloud data centers.

VMC on AWS Firewall Rules for vMotion

Ensure that the following firewall rules are configured in the VMC Console.

| Use Cases | Source | Destination | Service |
|---|---|---|---|
| Provide access to vCenter Server from on-premises. Used for general vSphere Client access as well as for monitoring vCenter Server. | remote (on-premises) vSphere Client IP address | vCenter | HTTPS |
| Allow outbound vCenter Server access to on-premises vCenter Server. | vCenter | remote (on-premises) vCenter Server IP address | Any (All Traffic) |
| Allow SSO to vCenter Server. | remote (on-premises) Platform Services Controller IP address | vCenter | SSO (TCP 7444) |
| ESXi NFC traffic. | remote (on-premises) ESXi VMkernel networks used for NFC | ESXi | Provisioning (TCP 902) |
| Allow outbound ESXi access to on-premises. | ESXi | remote (on-premises) ESXi management VMkernel networks | Any (All Traffic) |
| Allow vMotion traffic. | remote (on-premises) ESXi vMotion VMkernel networks | ESXi | vMotion (TCP 8000) |

On-Premises Firewall Rules for vMotion

Ensure that the following firewall rules are configured in your on-premises firewall.

| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| On-premises to vCenter Server | Allow | remote (on-premises) vSphere Client subnet | VMware Cloud on AWS vCenter Server IP address | HTTPS | 443 |
| Remote to ESXi provisioning | Allow | remote (on-premises) subnet | | TCP 902 | 902 |
| Cloud SDDC to on-premises vCenter Server | Allow | CIDR block for cloud SDDC management network | On-premises vCenter Server, PSC, Active Directory subnet | HTTPS | 443 |
| Cloud SDDC to ESXi Remote Console | Allow | CIDR block for cloud SDDC management network | VMware Cloud on AWS vCenter Server IP address | | |
| Cloud SDDC to Remote LDAP | Allow | CIDR block for cloud SDDC management network | Remote LDAP Server | TCP | 389, 636 |
| Cloud SDDC to ESXi vMotion | Allow | CIDR block for cloud SDDC management network | Remote ESXi host subnet | TCP | 8000 |
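Because the rules above are direction-specific, a pre-migration check has to be run from the side that originates each flow. The following added script (not part of this topic or of VMware's tooling) encodes the TCP ports from both tables and probes only the rules that originate on the side it is run from; the host names are placeholders you replace with your own vCenter Server, ESXi and LDAP addresses, and the probe function is injectable so the logic can be tested without a network.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    run_from: str   # side that originates the flow: "onprem" or "sddc"
    host: str       # destination to probe; placeholder names, replace with your addresses
    port: int


# Constructed from the two tables above; the host names are assumed placeholders.
VMOTION_RULES = [
    Rule("On-premises vSphere Client to cloud vCenter Server (HTTPS)", "onprem", "vmc-vcenter.example.invalid", 443),
    Rule("On-premises PSC to cloud vCenter Server (SSO)", "onprem", "vmc-vcenter.example.invalid", 7444),
    Rule("On-premises ESXi NFC to cloud ESXi (provisioning)", "onprem", "vmc-esxi.example.invalid", 902),
    Rule("On-premises ESXi vMotion to cloud ESXi (vMotion)", "onprem", "vmc-esxi.example.invalid", 8000),
    Rule("Cloud SDDC to on-premises vCenter Server (HTTPS)", "sddc", "onprem-vcenter.example.invalid", 443),
    Rule("Cloud SDDC to remote LDAP (LDAP)", "sddc", "onprem-ldap.example.invalid", 389),
    Rule("Cloud SDDC to remote LDAP (LDAPS)", "sddc", "onprem-ldap.example.invalid", 636),
    Rule("Cloud SDDC to on-premises ESXi (vMotion)", "sddc", "onprem-esxi.example.invalid", 8000),
]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, silently dropped (timeout), or unresolvable name
        return False


def check_rules(rules, run_from, probe=tcp_open):
    """Probe only the rules originating on this side; map rule name -> 'open' or 'blocked'."""
    return {r.name: ("open" if probe(r.host, r.port) else "blocked")
            for r in rules if r.run_from == run_from}


def blocked_rules(results):
    """Names of rules whose port was not reachable, sorted for stable reporting."""
    return sorted(name for name, status in results.items() if status == "blocked")


if __name__ == "__main__":
    import sys
    side = sys.argv[1] if len(sys.argv) > 1 else "onprem"   # run "sddc" from a cloud-side VM
    results = check_rules(VMOTION_RULES, side)
    for name, status in results.items():
        print(f"{status:8}{name}")
    sys.exit(1 if blocked_rules(results) else 0)
```

A "blocked" result also covers a port that is reachable but has no listener, so confirm the service is running before changing firewall rules.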